top of page

AT&T Data Breach Exposes Further Risk When Combined With Quantum Computing's and AI's Encryption Breaking Capabilities

This most recent compromise from AT&T not only exposes the standard disclaimers of PII, Personal Communications including phone call records, account information and the focus of this is SMS data being potentially exposed that can be broken with advanced methodologies even faster than ever before. Leveraging the fact of the unencrypted nature of SMS data, coupled with the fact that a vast majority of organizations from businesses providing bare minimum, high risk option for MFA. This creates a potential nightmare for companies using these services as the data in these messages could be used to break the security encryption or algorithms by using the sms codes in the message as a data set for a LLMs.

It has widely been known and set in many regulations that this is not a secure form of MFA validation, however this methodology has been widely adopted across all industries as the easiest barrier to entry in the MFA adoption scenario. SMS authentication as a primary authentication method for a "pass-wordless" sign-in for a large number of tech startups, retail and mobile applications, as well as some SSO authentication providers and even in some cases banking and loan companies. This creates an even higher risk due to obvious risk to the primary authentication cryptography or algorithm being easily compromised.

Quantum Computing

Quantum computing is an emerging hardware technology capable of solving computational issues that are intractable with conventional computers. It uses materials at an atomic or sub-atomic level to produce quantum states that enable complex calculations at much higher speeds than classical processors can handle. But its potential dangers are immense, prompting experts to devise cybersecurity measures as soon as possible in order to protect users.

AT&T experienced a data breach affecting almost all current and former cellular customers that compromised its third-party cloud platform where customer information was stored. While AT&T assisted those affected to reset their passcodes and contacted authorities to investigate, some information was leaked onto the dark web, putting customers' personal and financial security at risk.

The data released on the dark web included more than 73 million customers of AT&T current and former cellular customers, along with their phone numbers, names and account information. It also included cell site identification numbers associated with calls and text messages which could potentially track someone's location. Since then, AT&T has published a website where affected customers can check whether their data was compromised.

AT&T remains uncertain how the hack occurred, but has launched an investigation and engaged cybersecurity experts in order to fully comprehend and understand any criminal breach that might have taken place. They are strengthening security measures while continuing to closely monitor networks and system logs.

US Telco is among many companies struggling with breaches and the growing threat of quantum computing. A Forrester report published earlier this year noted that security leaders appear to be taking baby steps toward adopting post-quantum encryption (PQE), waiting for further developments, standards or vendor product announcements before moving forward with their implementation plans.

Cybersecurity experts advise organizations to make the transition to PQE now, by moving away from symmetric encryption - which quantum computers can easily break - and adopting more difficult-to-hack protocols such as PQE-based ones that utilize PQE technology. This transition will provide organizations a temporary respite until Quantum Day arrives when quantum computers will have enough computing power to crack existing asymmetric cryptography and algorithms.

AI

AT&T and mobile virtual network operators customers utilizing its networks were exposed in a major breach. The company announced Friday that threat actors illegally downloaded files containing call and text message records from a third-party cloud platform. AT&T says its data includes records of which AT&T cellular customers called or texted each phone number they contacted; but does not contain content of those calls and texts. Additionally, aggregated metadata such as total calls/texts made/sent and average call duration duration has also been included in the dataset. AT&T discovered a data breach in April and immediately initiated an investigation, engaging cybersecurity experts to assess its nature. Working alongside law enforcement authorities, AT&T identified those responsible and has assisted with arresting one individual thus far.

AT&T is actively notifying all affected customers, suggesting they reset their passcodes and monitor for suspicious activity in their accounts. According to the Justice Department's inquiry report, AT&T's cooperation has been "considered invaluable."

As cyberattacks continue to evolve in sophistication and scope, companies must work harder than ever to safeguard customer information. Artificial Intelligence can be an invaluable resource in this regard; however, companies must use it wisely and ensure adequate security measures are in place before using this powerful tool.

At AT&T, information was compromised due to an ineffective third-party security system, an issue which affects every industry and company alike and highlights the necessity of having robust security systems in place to avoid data breaches.

AT&T was hit with an elaborate cyberattack that would have been difficult to stop if their security had been stronger, yet nobody is certain exactly how many were affected as AT&T is only just now reporting it. According to them, two weeks ago data from customers was sold on the dark web, prompting AT&T to reset passwords and pay for credit monitoring for affected customers impacted. It's yet another breach highlighting why businesses must prioritize security as part of their technology strategies.

Data Sets of Verification Codes

AT&T recently began sending emails to around nine million of its customers alerting them of an attack against one of their marketing vendors, who contained Customer Proprietary Network Information (CPNI) including phone numbers, full names and emails addresses of affected individuals; while for some they also exposed plans, monthly charges, minutes used etc. As T-Mobile also suffered an identical data breach this year many are being extra vigilant against potential phishing scams.

AT&T customers are at a high risk due to personal identifiers present in hacked data sets. Impacted customers assume they have been breached and take measures such as changing passwords, enrolling for dark web monitoring services, freezing credit or freezing their credit accounts to protect themselves. Furthermore, individuals should review their privacy policies with their carrier operator and opt out from sharing any CPNI with third-parties. Additionally, corporations and users themselves need to switch away from SMS based validation as the message codes exposed in this data breach combined with Quantum's ability to easily break advanced cryptography and algorithms.

Businesses should monitor their networks, implement multi-factor authentication systems and adopt privileged access management solutions that are not dependent on SMS in order to minimize the effects of cyberattacks. Furthermore, it would be worthwhile assessing quantum computing technologies and understanding any ramifications this may pose on traditional encryption techniques.

Quantum computing presents organizations using AI with the threat of quantum-resistant cryptography being compromised by quantum attacks, necessitating them to integrate AI and quantum computing together in order to develop quantum-resistant cryptographic solutions. One solution might be using artificial intelligence combined with quantum computing for developing cryptographic systems resistant against quantum attacks.

Quantum computing and AI research is vital in order to maintain cryptography's future security. While this process will take some time, industries that rely on AI should prioritize algorithm security over data processing to protect themselves against growing quantum attacks while remaining competitive in this new era of data processing. By adopting quantum-resistant cryptography they can stay ahead of competition.

MFA SMS Risk

Millions of AT&T customers were recently informed that their personal data had been made public online, potentially leaving them vulnerable to identity theft and fraud. Although AT&T does not know who created or released this set of information - whether from them directly or one of their vendors - AT&T immediately initiated an extensive investigation and brought in outside computer forensics specialists and cybersecurity experts to determine how hackers gained entry.

AT&T's cloud data storage software, commonly used by corporate users such as tech firms and telcos for data analysis purposes, was compromised. Attackers likely gained entry through SQL injection attacks aimed at exploiting errors in database queries which can allow hackers to gain unauthorized access.

AT&T data breach serves as a stark reminder of the risks posed by loosening security measures, and one way to address them is with multi-factor authentication (MFA) that doesn't use SMS text codes for validation, which requires users to either enter a code or approve login requests through insecure and unencrypted mobile device messages after providing credentials, but instead using an authentication app, bio-metrics or physical security keys. It can help safeguard against hacking attacks like the one targeting Uber where malicious actors used MFA fatigue to deceive users into authorizing an authentication request they did not initiate themselves or this current exposure where the codes and messages that were compromised can help attackers not only identify the users and the systems they are trying to access, but the encryption of the MFA systems themselves when using SMS validtion.

MFA is a standard security measure in corporate systems and NIST has published publications advocating its inclusion in password policies and processes. Furthermore, vendors, partners and end-users that have integrated MFA into products and software they sell or distribute need to remove the capability for SMS as a method for validation; additionally MFA can be combined with additional security tools such as threat intelligence feeds or machine learning algorithms in order to increase its effectiveness. Implementation may prove challenging but must be prioritized as part of any comprehensive defense against the latest attacks on customers' accounts.

3 views0 comments

Opmerkingen


bottom of page